Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71467
Cytolysis-1h HG v3.1.6 Delivery
HG v3.1.6 was delivered for Cytolysis on 1/12/16 for SUP720. Testing scope will include ACE, SMITE and Tunnel.
CONOP will be:
- Hop through 3 flux nodes - 1 internet, 1 osmo subnet, 1 admin mgmt subnet - and IACInternational Access Code attack VLANVirtual Local Area Network 1 IP of target - XXX.XXX.X.XXX (TOPWAY-NET[CN])
- Trigger port will be UDPUser Datagram Protocol 161, host to impersonate will be explicitly set to a host not on VLANVirtual Local Area Network 10 or VLANVirtual Local Area Network 2
- Establish CTCounter Terrorism session over HTTPSHypertext Transfer Protocol Secure back through flux node 4
- Use ACEApplication Control Engine (Module) commands to verify state of the device
- Use socket get_arp_survey_data and output of "show ip nat trans" to survey traffic from VLANVirtual Local Area Network 19
- SMITE hosts on target customer network - VLANVirtual Local Area Network 19
- Use Tunnel to appear as if Operator is on VLANVirtual Local Area Network other than VLANVirtual Local Area Network 19 or VLANVirtual Local Area Network 2, and from there, nmap VLANVirtual Local Area Network 19.
Testing Summary
- Note in test report that module 2 is in state PwrDown and should be verified before proceeding
- Trigger packets that go through the target due to HG trigger sequence mis match will be caught and logged by outbound customer ACLs potentially - we will trigger to IP of device on port UDPUser Datagram Protocol 161
- Comms packets are SSLv3 - need to consider if this is noticeable on this network
- Hardware difference between test device and target - daughter card on 4 port 10G line card. This hardware difference has been accepted.
Testing Notes
-
Install
-Memory at start of test:
cytolysis-1#show mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 453ACAF0 381990160 101796608 280193552 276504440 218810732
I/O 8000000 67108864 13902404 53206460 53130184 53130428-attacked with IACInternational Access Code via flux
-CPU hit a peak of 56% during IACInternational Access Code attack
-Uploaded HG - show mem after install
cytolysis-1#show mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 453ACAF0 381990160 105273148 276717012 275964416 216779752
I/O 8000000 67108864 13902404 53206460 53130184 53130428CPU hit one peak of 15% during install
Used an interpacket delay of .1 for remote
-Seeds traffic has been running
-Established CTCounter Terrorism session impersonating XXX.XXX.X.XX (TOPWAY-NET[CN])
-success! confirmed that XXX.XXX.X.XX (TOPWAY-NET[CN]) can still browse
[XXX.XXX.X.XX (TOPWAY-NET[CN])]> packet get_assist_threshold_status
[Success]
Maximum Packets Per Second: 1500
Number of Packets Counted Per Sample: 3000
Highest Observed Packets Per Second: 173
Number of Overflows Since Settings Last Changed: 0
Time of Last Overflow: --
************ Success ************
[packet get_assist_threshold_status]
-no log messages or snmp traps observed, cpu normal
*will want to impersonate a host that is not very busy, since an assist will be laid down for that host
cytolysis-1#show ip cef XXX.XXX.X.XX (TOPWAY-NET[CN])
XXX.XXX.X.XX (TOPWAY-NET[CN])/32
receive
cytolysis-1#
-Quit the CTCounter Terrorism session and confirmed that after about 10 seconds, the RAA dropped:
cytolysis-1#show ip cef XXX.XXX.X.XX (TOPWAY-NET[CN])
XXX.XXX.X.XX (TOPWAY-NET[CN])/32
attached to Vlan3
cytolysis-1# - Uninstall
-Re-established CTCounter Terrorism session, this time impersonating XXX.XXX.X.XX (TOPWAY-NET[CN]). No seeds currently running on that host.
-Entered device uninstall-hg -mp -f to uninstall HG
-no syslog or snmp trap observed
-CPU from device after uninstall
cytolysis-1# show proc cpu hist
22222 44444 1111144444
100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)1 1 1 1 1 1 1
0565955565466568566596566691570777976644965686666586545555
100
90
80
70
60
50
40
30
20 * * *
10 ************************************** ************* ****
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%521121211212212111212222211242112111211112122
606719379081263898081510099121890987289981916
100
90
80
70
60 *
50 *
40 * *
30 * * * *
20 *********************************************
10 *********************************************
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%cytolysis-1#
cytolysis-1#show mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 453ACAF0 381990160 101863176 280126984 275964416 218810732
I/O 8000000 67108864 13902404 53206460 53130184 53130428
RAA for impsonated host from CTCounter Terrorism session has dropped
cytolysis-1#show ip cef XXX.XXX.X.XX (TOPWAY-NET[CN])
XXX.XXX.X.XX (TOPWAY-NET[CN])/32
attached to Vlan3
cytolysis-1# -
Modularity
-Reloaded DUTDevice Under Test to start with a clean device
-Flux nodes up, Seeds running on VLANVirtual Local Area Network 19
-IAC attacked and uploaded HG
-Established CTCounter Terrorism connection with XXX.XXX.X.XX (TOPWAY-NET[CN]) as impersonated host, no punch-throughs of traffic to impersonated host
-Confirmed that impersonated host is still able to browse, did not observe any syslogs or traps sent by DUT
-Stop/Start/Restarted ACEApplication Control Engine (Module) module - verified functionality after each start
-Testing FB modularity and functionality with smite. Started up Victim3 VMVirtual Machine and web browsed with no rules active and saw the following print:
Jan 19 19:03:08.193 C6506: %SEC-6-IPACCESSLOGP: list Core-Net-filter-in denied tcp X.X.X.XX (LVLT-GOGL-8-8-8[US])(80) (Vlan2 0015.fa80.efbf) -> 10.11.0.13(2213), 1 packetC
- Added a rule for SMITE and saw the following
cytolysis-1#show ip cef 10.11.0.13
10.11.0.13/32
attached to Vlan19
cytolysis-1#
Jan 19 19:09:02.877 C6506: %SEC-6-IPACCESSLOGP: list Core-Net-filter-in denied tcp X.X.X.XX (LVLT-GOGL-8-8-8[US])(80) (Vlan2 0015.fa80.efbf) -> 10.11.0.13(2213), 6 packets
-successfully SMITE'd 3 more times with no prints
-restarting FB
-no rules active, browsed from victim, cleared cache and went to all 3 web servers 10x, no prints
-activated SMITE rule and ran 7 times - then saw the following prints:Jan 19 20:02:55.049 C6506: %SEC-6-IPACCESSLOGP: list Customer-2-filter-in denied tcp XXX.XXX.X.XX (TOPWAY-NET[CN])(1041) (Vlan19 0050.5688.c5e6) -> X.X.X.XX (LVLT-GOGL-8-8-8[US])(7777), 1 packet
Jan 19 20:08:04.769 C6506: %SEC-6-IPACCESSLOGP: list Customer-2-filter-in denied tcp XXX.XXX.X.XX (TOPWAY-NET[CN])(1041) (Vlan19 0050.5688.c5e6) -> X.X.X.XX (LVLT-GOGL-8-8-8[US])(7777), 7 packets
Jan 19 20:09:04.801 C6506: %SEC-6-IPACCESSLOGP: list Core-Net-filter-in denied udp 10.9.8.22(137) (Vlan2 0021.d80d.cfc1) -> XXX.XXX.X.XX (TOPWAY-NET[CN])(137), 3 packets
Jan 19 20:13:04.929 C6506: %SEC-6-IPACCESSLOGP: list Customer-2-filter-in denied tcp XXX.XXX.X.XX (TOPWAY-NET[CN])(1041) (Vlan19 0050.5688.c5e6) -> X.X.X.XX (LVLT-GOGL-8-8-8[US])(7777), 2 packets
Jan 19 20:18:05.093 C6506: %SEC-6-IPACCESSLOGP: list Customer-2-filter-in denied tcp XXX.XXX.X.XX (TOPWAY-NET[CN])(1041) (Vlan19 0050.5688.c5e6) -> X.X.X.XX (LVLT-GOGL-8-8-8[US])(7777), 3 packetsC - Testing SMITE
- Starting over with Debian 8.2. Installed ICON on TR, setup flux, cleaned DUT
- Restarted Victim 3 - web browsed 15 times to all three web servers and observed no prints
- Web browsed directly to iframe url 15 times and observed no prints
- Attacked with IACInternational Access Code and uploaded HG from new ICON 8.2 VMVirtual Machine - impersonating XXX.XXX.X.XX (TOPWAY-NET[CN])
- Restarted victime 3. web browsed 15 times to all three web servers